Why mobile apps require access to your data and device tools

Apps often have permission to create and save files in various locations on your devices, some of which are retained even after the apps are uninstalled.

ET Bureau

May 06, 2016, 08:24 IST

By Shadma Shaikh

Do you remember how many times you have clicked “I agree” on the never-ending ‘Terms and conditions’ list for various software downloads, signups and registrations without even scrolling down to the end?

Even if you have survived doing that and you are not paranoid about online security, you ought to be more careful about something else—mobile applications.

It doesn’t stop there. Apps know your exact location at any given point, your house number, restaurants and cinema halls you frequent, and your email account details. Think this is not what you signed up for? Well, actually you did when you selected ‘Accept’ on the pop-up before you installed the apps.

When you install an app or an app update from Google’s Play Store, for instance, you get a pop-up listing all the permissions it requires. This could include permission to access your text messages, phone call details, media files, etc. Apps need access to specified content on your phone to fulfil their functionality—a picture-editing app will require access to your phone camera and media files to be able to edit pictures saved in your phone or to take a new picture that it can edit—but several of the requested permissions are likely unnecessary.

“Permissions by themselves are harmless and even useful to provide users a good mobile experience,” says Paul Oliveria, researcher at cyber security firm Trend Micro. But since the list of permissions required is long and doesn’t explain its effect, an immediate reaction is to treat it the way you would a ‘Terms and conditions’ agreement—accept without reading the list and move to the next step.

Skipping over these permissions could mean handing over your data to an oblivious app developer or unscrupulous data miners. Letting apps access more data on your phone than required could lead to security risks and expose your personal information. Almost all mobile apps transmit and receive data between phones and remote servers. It has never been more crucial to understand the risks involved in giving mobile apps indiscriminate access to your data and device tools, given that India is the second-biggest market for smartphones after China.

As per a recent report by the Internet and Mobile Association of India, the country will have added 65 million new mobile internet users in just the six months to June 30. By then, India will have 371 million people accessing the internet on their mobile phones, it says. A lot of that internet use will be through mobile applications designed for activities such as shopping, keeping up with friends, watching videos, gaming or paying electricity bills.

Many apps ask for a host of permissions to access data and functions they don’t require. The key lies in identifying the nature of the app and questioning what seem to be unnecessary requests.

A chat app can ask for access to pictures or media files so you are able to share those with your contacts. But you should be wary if it asks to know your location. A gaming app will want to know when you get a phone call so it can pause. But a gaming app requesting access to your text messages or location should raise a red flag.

The latest versions of Google’s Android operating system and Apple’s iOS give users greater flexibility in deciding what permissions to grant to apps.

Developers, in the process of making apps more usable, end up asking for access to too many things the apps don’t require, says Bryce Boland, chief technology officer, Asia-Pacific, at cyber security firm FireEye. Some well-known brands, too, have poorly coded apps that end up compromising on security, he said.

Yuval Ben Itzhak, former chief technology officer at security software company AVG Technologies, points out that if data leaving a device via an app is unencrypted—not converted into code to prevent unauthorized access—hackers can ‘look inside’ it and get access to passwords, credit card numbers and other personal details. This is most likely to happen on public Wi-Fi hotspots like those at airports, malls or coffee shops.

Apps often have permission to create and save files in various locations on your devices, some of which are retained even after the apps are uninstalled. A game app that you uninstalled could have retained images in your phone gallery. Another app that also has access to your gallery can now access those images.

A lot of this unnecessary access requirement also has to do with how apps are built and monetized. To make money out of apps, companies often integrate third-party libraries that allow these external entities to push ads and other content on their apps. Attackers can leverage poorly written code or third-party libraries to gain access to a user’s phone or data, says Boland.

Several mobile app developers reuse software libraries from third-party entities to support the functionality they need. For example, a photo app or a mobile wallet app that stores user data on a remote server, or cloud, uses pre-written pieces of code supplied by cloud storage providers like Dropbox.

There have been instances, however, when these components have been identified to be vulnerable to remote attacks. Last year, a particular piece of code on Dropbox that other apps reuse was found to be vulnerable, which could have allowed for theft of sensitive information.

Dropbox fixed the vulnerability. The Indian smartphone market, which is dominated by second-hand and low-budget smartphones, is more susceptible to mobile security attacks, says Tony Anscombe, senior security evangelist at AVG.

As consumers, if an app is free, we need to figure out how its developers make money, says Anscombe. Is it by pushing ads or by providing a premium service upgrade in exchange for money? “If it’s difficult to figure how an app you use is making money, it is highly likely that you as a user are its source of monetization,” says Anscombe.

Apps like these are probably reading your contacts and your browsing history and selling these to data aggregators.

Several popular apps in India, including those of Flipkart, Ola, Myntra and Snapdeal, require a host of permissions that will give them access to tonnes of consumer data. These companies did not reply to queries from ET on their criteria for access requirements. According to an annual mobile security report by chip maker Intel, in the last six months about 37 million devices were affected by malware that originated from mobile app stores. Mobile malware samples increased 24% in the final quarter of 2015 from a year earlier.

Lousy coders or data aggregators are not the only ones to blame, says Boland. Consumers who download apps without reading the permissions sought are also responsible for the increase in the number of ‘incidents’ directed through mobile apps.

“If people ditch apps that ask for a lot of permissions in favour of those that don’t, app developers will be pushed to design apps in a way that they don’t ask for unrequired permissions,” says Boland.